Certbot w/acme-dns manual w/dns auth

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: oinctelpro.com

I ran this command: sudo certbot -vvv certonly -d "oinctelpro.com" -d "*.oinctelpro.com" --agree-tos --manual-public-ip-logging-ok --server https://acme-v02.api.letsencrypt.org/directory --preferred-challenges dns --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --debug-challenges

It produced this output: I lost the second TXT/CNAME string. Now it won’t show me the first one, but I have that in clipboard app.

My web server is (include version): gatling, haven’t gotten that far. acme-dns is on localhost to http with certbot.

The operating system my web server runs on is (include version): ubuntu 18 disco or the newer.

My hosting provider, if applicable, is: vultr.

I can login to a root shell on my machine (yes or no, or I don’t know): ssh yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0 with Ubuntu’s golang go which is almost newest, with github acme-dns.

yandex dns keeps butting in and blocking out my acme-dns, so I’ll have to put all my txt/cname records into yandex dns for the first round. I may have been as close as just not knowing I had to make two txt/cname _acme-challenge, for wildcard.

Even with acme-dns ns in registrar’s ns slot, yandex still manages to pig out. I tried putting an NS entry for acme-dns in yandex dns, but that never worked, even with sub-domain for auth/acme like many people do.

I can kludge through manual method, if I can see the two _acme-challenge keys again. I’m writing a bash hook to make the entries in yandex dns by api, if that works. I got it to list current state so I can grep that and go back to either edit, or add, the api calls for POST. First time I’ll probably just do it all manual though.

I can’t get certbot to show me those keys, so I’m going to try to get it to make new certs by adding a second domain and its wildcard to one cert. “certbot certificates” shows none and -vvv just prints the same json that’s on disk and I can’t make out the two txt/cname keys from that.

Hi @RPD

if you have lost the second TXT entry, then start new.

Two domain names -> so you have to create two TXT entries with

_acme-challenge.oinctelpro.com

as domain name and two different values.


Alright and if I have the TXT records, I don’t need that CNAME people talk about?

Here I go


The txt records need to be changed every time a new certificate is requested. So at least every 90 days.


If you can create these TXT entries and if you use --manual, you don't need a CNAME.


In case you are unable to automate your DNS, it is smart to redirect the requests Let's Encrypt makes to a DNS you can automate - to do that you need CNAME records.


OK I can read more about CNAME here

Also to allow for automatic cron job renewal I may have to write a Yandex API hook, because even with domain registrar serving acme-dns as authoritative nameserver, yandex ns will take over and so far I can’t set an NS record for acme-dns that works in yandex, it just does nothing no matter how much auth subdomain and A record or none, whatever, nothing works there. So temporarily, I have to manually put my TXT into yandex, or temp disable yandex nameservers at domain registrar! “Test”, fully manual to that extent.

Yandex does have an API so if it works I could set _acme-challenge TXT.


# create a private directory for the acme-dns credentials before anything is written there
mkdir -p ~/.acme-dns
touch ~/.acme-dns/register.raw ~/.acme-dns/register.env
chmod 700 ~/.acme-dns
chmod 600 ~/.acme-dns/*
# register with the local acme-dns API, keep the raw JSON reply, and turn its fields into shell variables
curl -X POST http://localhost:81/register | tee ~/.acme-dns/register.raw | sed -E '/^[^"]+.([^"]+)[:"]+([^"]+)[,"]+([^"]+)[:"]+([^"]+)[,"]+([^"]+)[:"]+([^"]+)[,"]+([^"]+)[:"]+([^"]+)[^[]+.([^]]*).*$/s//\1="\2"\n\3="\4"\n\5="\6"\n\7="\8"\nallowfrom="\9"/' > ~/.acme-dns/register.env

I saved the user, password, and the other strings I’ll need for CNAME and TXT, so I won’t get “lost” this time.

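An added example (mine, not the poster's script and not acme-dns project code) that does with a real JSON parser what the sed one-liner above does, and also produces the CNAME record and the acme-dns /update request the thread keeps coming back to. It assumes the acme-dns zone style.oinctelpro.com used later in the thread, the domain-keyed credential layout of the acme-dns-auth.py hook, and a constructed registration reply.

```python
import json

# Constructed sample of an acme-dns POST /register reply (not a real account).
SAMPLE_REGISTRATION = (
    '{"username":"eabcdb41-d89f-4580-826f-3e62e9755ef2",'
    '"password":"pbAXVjlIOE01xbut7YnAbkhMQIkcwoHO0ek2j4Q0",'
    '"fulldomain":"d420c923-bbd7-4056-ab64-c3ca54c9b3cf.style.oinctelpro.com",'
    '"subdomain":"d420c923-bbd7-4056-ab64-c3ca54c9b3cf",'
    '"allowfrom":[]}'
)
REQUIRED = ("username", "password", "fulldomain", "subdomain")


def parse_registration(raw, acme_dns_zone):
    """Parse the /register JSON and check fulldomain sits under the delegated zone."""
    reg = json.loads(raw)
    missing = [k for k in REQUIRED if k not in reg]
    if missing:
        raise ValueError("registration reply missing %s" % ", ".join(missing))
    if not reg["fulldomain"].endswith("." + acme_dns_zone):
        raise ValueError("fulldomain %s is not under %s" % (reg["fulldomain"], acme_dns_zone))
    return reg


def cname_record(domain, reg):
    """The single CNAME to add at the main DNS provider. The base name and the
    wildcard both validate at _acme-challenge.<domain>, so one CNAME covers both;
    acme-dns keeps the two TXT values behind it."""
    return "_acme-challenge.%s. IN CNAME %s." % (domain, reg["fulldomain"])


def store_credentials(store, domain, reg):
    """Return a new mapping in the domain -> registration layout that the
    acme-dns-auth.py hook keeps in its acmedns.json (assumed layout)."""
    updated = dict(store)
    updated[domain] = {k: reg[k] for k in REQUIRED}
    updated[domain]["allowfrom"] = reg.get("allowfrom", [])
    return updated


def update_request(reg, txt):
    """Headers and body for POST /update; acme-dns only accepts a 43-character
    value, which is the length of the DNS-01 key-authorization digest."""
    if len(txt) != 43:
        raise ValueError("acme-dns TXT value must be exactly 43 characters, got %d" % len(txt))
    headers = {"X-Api-User": reg["username"], "X-Api-Key": reg["password"]}
    body = {"subdomain": reg["subdomain"], "txt": txt}
    return headers, json.dumps(body)
```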

I thought I had _acme-challenge CNAME and a test TXT working, but unless I let yandex dns be my only name server at registrar, different nameservers return different results and yandex API returns “migrate” status which means evidently they want to be the only nameservers at registrar. Google and Internic nameservers follow correctly, finding acme-dns, and consequently the CNAME and TXT. Erwin Hoffman’s ipv6 version of DJB dnscache says “wrong question”, which may mean “glue” is being used at google and internic nameservers. If DJB crew and yandex are on the same page, I should try just yandex nameservers at registrar, then work with yandex api to add/edit CNAME and possibly just put the TXT in there, too, though I was really trying to avoid that. OK I’ve just changed registrar ns to only yandex, not acme here. Give that a little time.

You cannot set up name servers from different companies for your domain.

You may use different name servers for a sub domain, but do not mix them.
Something like that is possible:
oinctelpro.com - @ yandex.ru
Sub.oinctelpro.com @ cloudflare.com

Do you want to host the name server for the validation on the webserver itself?
For that, your webserver needs to be reachable on TCP+UDP port 53.

If you do, you don't need a CNAME, just create
an NS record for "_acme-challenge" pointing to your webserver's FQDN. On your webserver set up a DNS server and create the zone "_acme-challenge.oinctelpro.com"; there you can create the TXT records without a name - sometimes it is called "same as parent".

Repeat the steps for all sub domains

That's exactly what acme-dns does. That's the point of running it.

@RPD, I'm not sure I'm following your setup. Here's how I have acme-dns set up, using Cloudflare for the rest of my DNS. I have it running on acme.mydomain.tld. I have the following records at Cloudflare:

acme.mydomain.tld NS ns.acme.mydomain.tld
ns.acme.mydomain.tld A (my IP)
_acme-challenge.mydomain.tld CNAME random.acme.mydomain.tld (repeated for each hostname and domain I'm using)

I think you're expecting that the A record above shouldn't be needed at your DNS host. I see the logic in that, but I don't know how else the Internet would know how to find the IP address for ns.acme. to properly direct the rest of the queries.

Edit: If it helps, here's a thread I posted last year that helped me understand how it works:

Now I’ve tried giving yandex the TXT record, just a 43 char test phrase, to go with CNAME, and then it can’t serve the TXT by going through CNAME or directly. Unless I’m missing a technicality somewhere, yandex dns is out.

There’s an auth.oinctelpro.com. zone on the Yandex nameservers. Can you tell how that got there?

auth.oinctelpro.com.    900     IN      NS      dns1.yandex.net.
auth.oinctelpro.com.    900     IN      NS      dns2.yandex.net.

OK at this point, I know we're out of the woods: yandex dns WILL serve its (my) NS record for acme-dns as nameserver for our subdomain, in which now all we have to do is serve a TXT record:

bob@laptop host -vvv -tns letsencrypt.xqme.com dns1.yandex.net
Trying "letsencrypt.xqme.com"
Using domain server:
Name: dns1.yandex.net
Address: 213.180.204.213#53
Aliases:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8459
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;letsencrypt.xqme.com. IN NS

;; AUTHORITY SECTION:
letsencrypt.xqme.com. 12640 IN NS ackme.letsencrypt.

Received 69 bytes from 213.180.204.213#53 in 264 ms
…so now I’m in the classic situation, and perhaps just need yandex to refresh on ackme.subdomain.example.org and then CNAME in yandex dns will go to acme-dns and acme-dns will in the absolutely conventional way serve the TXT record. Test:

bob@laptop host -vvv -ttxt _acme-challenge.xqme.com dns1.yandex.net
Trying "_acme-challenge.xqme.com"
Using domain server:
Name: dns1.yandex.net
Address: 213.180.204.213#53
Aliases:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24814
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme-challenge.xqme.com. IN TXT

;; ANSWER SECTION:
_acme-challenge.xqme.com. 12640 IN TXT "test______"

;; AUTHORITY SECTION:
xqme.com. 900 IN NS dns2.yandex.net.
xqme.com. 900 IN NS dns1.yandex.net.

Done.

Interestingly yandex dns will now not serve its own A records for either subdomain letsencrypt.xqme.com and letsencrypt.oinctelpro.com, or that subdomain’s A record for the nameserver ackme.letsencrypt.xqme.com or ackme.letsencrypt.oinctelpro.com. That is all working as yandex respecting yet “hiding” or making a child of acme-dns ns which is perfectly ok. I can get my certs and certbot will auto-update certs because yandex dns will child acme-dns all the way through to reporting back the TXT including for “www”:

bob@laptop host -vvv -ttxt _acme-challenge.www.xqme.com dns1.yandex.net
Trying "_acme-challenge.www.xqme.com"
Using domain server:
Name: dns1.yandex.net
Address: 213.180.204.213#53
Aliases:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55023
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme-challenge.www.xqme.com. IN TXT

;; ANSWER SECTION:
_acme-challenge.www.xqme.com. 12640 IN TXT "test______"

;; AUTHORITY SECTION:
xqme.com. 900 IN NS dns2.yandex.net.
xqme.com. 900 IN NS dns1.yandex.net.

It seems like the obvious answer would be to change to a DNS host that doesn’t suck. Is there a reason that isn’t possible?


The way to get along with yandex dns is to make NS records for dns1.yandex.net, dns2.yandex.net, and gangname.style.oinctelpro.com in BOTH yandex dns cpanel AND in our /etc/acme-dns/config.cfg “records” struct for the acme-dns subdomain. I’m not sure if I also had to make that TXT record for yandex, their “spf” item.

user@oinctelpro:~$ host -vvv -ttxt _acme-challenge.oinctelpro.com dns1.yandex.net
Trying "_acme-challenge.oinctelpro.com"
Using domain server:
Name: dns1.yandex.net
Address: 2a02:6b8::213#53
Aliases:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65466
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1

;; QUESTION SECTION:
;_acme-challenge.oinctelpro.com. IN TXT

;; ANSWER SECTION:
_acme-challenge.oinctelpro.com. 12640 IN CNAME f9118e81-1ecf-4507-b86e-1bb9b0239d4e.style.oinctelpro.com.

;; AUTHORITY SECTION:
style.oinctelpro.com. 12640 IN NS dns1.yandex.net.
style.oinctelpro.com. 12640 IN NS dns2.yandex.net.
style.oinctelpro.com. 12640 IN NS gangname.style.oinctelpro.com.

;; ADDITIONAL SECTION:
gangname.style.oinctelpro.com. 12640 IN A 155.138.162.222

…how I convinced yandex dns not to kill acme-dns A record as soon as I set acme-dns for NS record on subdomain [auth|acme|whatever].any.org

Now we can put the usual CNAMEs in major dns provider, in this case yandex dns, and then handle our acme-dns TXT record as usual at [auth|acme|whatever].any.org so that certbot et al clients can auto-renew our certs as cron job. Just read the typical tutorials for acme-dns “auth” and “acme” subdir, CNAME, TXT, once we do the unusual thing at yandex dns of setting three NS records for acme-dns subdomain, and also three NS records in /etc/acme-dns/config.cfg “records”.

OK I didn’t know if the TXT would come through like this. It works:

user@oinctelpro:~$ host -vvv -ttxt _acme-challenge.oinctelpro.com 8.8.8.8
Trying "_acme-challenge.oinctelpro.com"
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39237
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme-challenge.oinctelpro.com. IN TXT

;; ANSWER SECTION:
_acme-challenge.oinctelpro.com. 12639 IN CNAME f9118e81-1ecf-4507-b86e-1bb9b0239d4e.style.oinctelpro.com.
f9118e81-1ecf-4507-b86e-1bb9b0239d4e.style.oinctelpro.com. 3599 IN TXT "test__________________"
